if I have a search that gives me something like this:
a b c 1 2 3 4 5 6 7 8 9
how do I add a column d that would do an operation (row2columnC - row1columnC, row3columnC - row2columnC ... all the way down ) in each cell in column d(jsut want to show the value in column d)
a b c d 1 2 3 3-0=3 4 5 6 6-3=3 7 8 9 9-6=3
I am thinking it would be
...| eval = ?? or something like this...
don't using eval
use the command
deltawho working like that:
For each event where field is a number, the `delta command` computes the difference, in search order, between the field value for the event and the field value for the previous event
next try this
your search |delta c as d
eval d=coalesce(d,c) do here? I can't seem to see the difference. Or do i need a null value to see it working?
all good answers here is a working example:
| makeresults count=3 | streamstats count as a | eval a=a+1 | streamstats count as b | eval b=b+10 | streamstats count as c | eval c=c+11 | delta a as a_dif p=1